Mutt/GnuPG doc initial release

Len Sassaman rabbi@quickie.net
Tue Sep 25 01:02:01 2001 

The issue isn't PGP signing messages to mailing lists, it's the MIME
attachments.

Some of the mailing lists I am on strip MIME attachments altogether.
Others have web based archives. Others have digest versions.

Conventional PGP signatures still verify on all of these lists. PGP/MIME
does not.


--Len.

On Mon, 24 Sep 2001, Janusz A. Urbanowicz wrote:


> Alexander Skwar wrote/napisa=B3[a]/schrieb:

> [Charset iso-8859-1 unsupported, filtering to ASCII...]

> > So sprach _Janusz A. Urbanowicz_ am 2001-09-24 um 13:44:47 +0200 :

> > > Len Sassaman wrote/napisa?[a]/schrieb:

> > > > Frankly, it's poor netiquette to post PGP/MIME messages to mailing =

lists,

> > > > for one,

> > >

> > > Why?

> >

> > Because normally it's not that terribly important to see from which

> > person a mail orginated.  You know, I don't know you, so even if your

> > mail would have been signed, it wouldn't mean more to me.  Also Werner'=

s

> > mails to this list wouldn't mean more to me if they were signed, becaus=

e

> > he's also just a stranger.

>

> I don't think so.

>

> > So, it doesn't add anything which means that it's unneeded and thus poo=

r

> > netiquette.

>

> And I think you are wrong or haven't done proper threat analysis. Case 1:

> someone impresonating Werner posts a message about a bug in GnuPG and a

> patch to fix it. This patch actually plants a backdoor. In your approach,

> you have no way to tell nor it makes any difference to you.

> Case 2 (real life example): a friend of mine is an active usenetter, she

> also posts a lot to mailing lists. One day a sexually suggestive (at the

> verge of explicit) forged messaged attributed to her started to appear. P=

GP

> signing was the simplest way to make a good distinction of which messages

> come from her and which are forgeries.

>

> In saying about 'strangers' you forgot one thing: while on everyday use o=

f

> PGP there is little need to use it to establish RL identity, it is a very

> good and a convenietnt way of establishing origin. I don't care much if

> Werner's name is actually Werner, but I do care if new GPG releases come

> from its author.

>

> A good example is remailer-operator list. Anon remailer operators need no=

t

> to know each other's identities (I'm one of the few who reveal their name=

s)

> but need to know if given remailer configuration changes come from the

> remailer's operator (because of MITM).

>

> Alex

> --

> C _-=3D-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling |         =

|   *

>  ; (_O : +-------------------------------------------------------------+ =

--+~|

>  ! &~) ? | P=B3yn=B1=E6 chc=EA na Wsch=F3d, za Suez, gdzie jest dobrem ka=

=BFde z=B3o | l_|/

> A ~-=3D-~ O| Gdzie przykaza=F1 brak dziesi=EAciu, a pi=E6 mo=BFna a=BF po=

 dno;     |   |

>


--

Len Sassaman

Security Architect            |  "I must play their game, of
Technology Consultant         |   not seeing I see the game."
                              |
http://sion.quickie.net       |                --R .D. Laing